Microsoft fixed 19 vulnerabilities in November's Patch Tuesday update, four in Internet Explorer 9, and three in all versions of the Windows operating system, including the brand-new Windows 8.

The company released six bulletins, four of which have been rated critical, according to the Patch Tuesday notification advisory. Microsoft said the update for Internet Explorer (MS12-071) and all versions of the Windows operating system (MS12-075) were the most urgent.

Microsoft has released 76 patches so far for 2012, well below the number of patches released in 2011 and 2010, which is a "win" for IT administrators, said Wolfgang Kandek, CTO of Qualys.

Just Fixing Internet Explorer 9

The Internet Explorer patch closed three security flaws in Internet Explorer 9. The vulnerabilities do not affect other browser versions, such as IE7, IE8, or IE10. The majority of enterprise users will not be affected, as most of them will be running other versions, Kandek said. If left unpatched, attackers could exploit the IE9 flaws to launch drive-by-download attacks.

Microsoft rated the exploitability index as "1," indicating it expects an active exploit soon. No attacks have been observed in the wild at this time.

All Windows Versions Affected, Even Win8

The three remote code execution vulnerabilities in Windows kernel-mode drivers are related to the malformed font issues Microsoft has been dealing with for a while, said Paul Henry, security and forensic analyst at Lumension. A user on an unpatched system could be compromised by visiting a malicious page that uses specially crafted TrueType font files.

This attack could succeed across multiple versions of Internet Explorer, said Marcus Carey, a security researcher with Rapid7.

Windows 8, which launched last month touting its new security features and defense-in-depth capabilities, is also affected by the TrueType flaw. In fact, three bulletins, MS12-072, MS12-074 and MS12-075, affect the newer Windows 8 and Windows Server 2012 operating systems or components on the systems. Updates for Windows RT, the version of Windows 8 that runs on devices such as the Microsoft Surface, will be available through Windows Update.

Microsoft also released a patch for Windows 8 Release Preview and Server 2012 Release Candidate, despite the fact that both operating systems are now live and publicly available, said Jason Miller, manager of research and development at VMware.

"Stars Aligned" Attacks

While the bulletin for the .NET framework (MS12-074) was rated critical, Kandek said .NET applications are turned off by default in most deployments, making it less urgent for most organizations. The two vulnerabilities in Windows shell (MS12-072) could result in remote code execution if a user browses to a specially crafted Briefcase in Windows Explorer.

These vulnerabilities are critical, but the complexity of exploitation and the specific configurations that need to be present for the attack to succeed means they pose less risk to most organizations, Carey said.

Carey called the attack scenario "The stars must all align attack vectors."

Microsoft rated the file format vulnerability fixed in Microsoft Excel (MS12-076) as "important," but Carey argued it should be the third urgent patch for most organizations because of the nature of the flaw and number of applications affected. When exploited, the attacker would inherit the same privileges as the current user and be able to execute code remotely. It was "fairly trivial" to escalate privileges once the attacker has user-level access, and if the targeted system has the user running with Administrator privileges, it's "game over," Carey said. And there are an "unhealthy number of people" running as Administrator on their machines, he noted.

"Any vulnerability in a popular application that allows Remote Code Execution should be high on any IT administrator's list to fix," Kandek agreed. The bulletin affects every version of Excel, except for Excel 2013 released this year.

About the Author

Fahmida Y. Rashid is a senior analyst for business at PCMag.com. She focuses on ways businesses can use technology to work efficiently and easily. She is paranoid about security and privacy, and considers security implications when evaluating business technology. She has written for eWEEK, Dark Reading, and SecurityWeek covering security, core Inte...
